Senate Hearing Grills Equifax, Marriott CEOs On Data Breaches

Data privacy and security is becoming a popular political issue, and the latest proof of that came Thursday (March 7) on Capitol Hill.

During a hearing for the U.S. Senate Homeland Security and Governmental Affairs Subcommittee on Investigations, executives from Equifax and Marriott were called out on their companies’ recent data breaches, while other witnesses helped describe the current landscape when it comes to online privacy and data security.

The hearing took place at a time of increasing scrutiny for online privacy and security. Among the most recent support for that point is a fresh push in California among lawmakers to make their strictest-in-the-nation data privacy law even tougher. During the Senate hearing on Thursday, much of the attention was focused not on any possible new laws, but on seeking accountability for two of the most serious data breaches to recently hit the worlds of payment and commerce.

According to reports, Equifax CEO Mark Begor, along with some of his fellow Equifax executives, might have gotten the worst of it during the hearing. The committee released a report on how Equifax handled its data security leading up to the data breach that resulted in the credit card data exposure of 143 million people. Equifax disclosed the hack in September of 2017.

That report pointed out that Equifax’s competitors have not suffered similar breaches, and took the company to task for its failings in tech and cybersecurity operations, as well as its handling of employees’ warnings to a top executive about security flaws. One portion of the report depicted executives shrugging off security meetings in March of 2017, at a time when a flaw in the open-source software Apache Struts was hurting financial companies. The flaw went unpatched at Equifax and created the entry point for hackers.

During the hearing, Begor pointed out that all U.S. firms were falling victim to online attacks, noting that there were 1,200 data breaches in the U.S. last year. “These attacks are no longer just a hacker in the basement attempting to penetrate a company’s security perimeter, but instead are carried out by increasingly sophisticated criminal rings, or — even more challenging — well-funded nation-state actors or military arms of nation-states,” he said.

Marriott’s data breach, which occurred in late November, impacted the records of 383 million guests, but didn’t include as much sensitive data as the Equifax incident. That might be why, in the view of CNBC, the Senate committee “went easier on Marriott, with one senator beginning the hearing by saying the hotel chain’s breach didn’t appear to have the same ‘cultural’ component as Equifax’s.”

According to Senator Tom Carper (D-DE), “The data breach announced by Marriott this past November does not appear to have been caused by the same cultural indifference to cybersecurity [that] the record indicates existed at Equifax. Rather, it looks like Marriott inherited this breach from Starwood.”

As part of the hearing, the U.S. Federal Trade Commission, via Bureau of Consumer Protection Director Andrew Smith, said the federal agency “has settled or litigated more than 60 law enforcement actions against businesses that allegedly failed to take reasonable precautions to protect consumers’ data. Among those have been cases against manufacturers of consumer products like smartphones, computers, routers and connected toys, as well as against companies that collect consumers’ sensitive personal information.”

It was unclear on Thursday afternoon what, if any, new proposals or initiatives might emerge from this hearing. Yet, it is not unreasonable to say the hearings provided fresh fuel for ongoing data privacy and security efforts, a push that is having a big political and cultural moment as spring approaches.